Re: Protection from SQL injection - Mailing list pgsql-sql

From Thomas Mueller
Subject Re: Protection from SQL injection
Date
Msg-id 5f211bd50804270214s852989me86c61caecadb5b@mail.gmail.com
In response to Re: Protection from SQL injection  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-sql
Hi,

> providing a mode in which the server would reject PQexec strings containing more than one query.

That wouldn't help a lot. The simple SQL injection is not detected:

ResultSet rs = stat.executeQuery( "SELECT * FROM USERS WHERE PASSWORD='" + password + "'");

An attacker would only need to use the following password:

' OR 1=1

The SQL statement is still only one query:

SELECT * FROM USERS WHERE PASSWORD='' OR 1=1

Regards,
Thomas
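An added example, not from the post or from the PostgreSQL project, that runs both of the thread's cases: sqlite3 stands in for PostgreSQL/JDBC here because its execute() already refuses more than one statement per call, which is the mode proposed upthread, and the payload uses the quote-balanced form `' OR '1'='1` so the concatenated string parses. The users table and the helper names are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for the post's USERS table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_concat(conn, password):
    """Vulnerable form: string concatenation, as in the JDBC line in the post."""
    sql = "SELECT * FROM users WHERE password='" + password + "'"
    return conn.execute(sql).fetchall()


def login_param(conn, password):
    """Mitigation: bind the value, so it can never alter the statement's shape."""
    return conn.execute("SELECT * FROM users WHERE password=?",
                        (password,)).fetchall()


def one_statement_rule_rejects(conn, password):
    """True if a 'one statement per call' rule stops this password when it is
    concatenated into the vulnerable query, False if the query simply runs.
    sqlite3 raises on stacked statements (Warning before 3.12, ProgrammingError
    from 3.12 on), which models the server-side mode proposed in the thread."""
    try:
        login_concat(conn, password)
        return False
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return True


if __name__ == "__main__":
    db = make_db()
    # A stacked second statement is caught by the one-statement rule ...
    print(one_statement_rule_rejects(db, "'; SELECT 1 --"))   # True
    # ... but the tautology in the post is still a single statement and runs,
    # returning every row instead of none.
    print(one_statement_rule_rejects(db, "' OR '1'='1"))      # False
    print(len(login_concat(db, "' OR '1'='1")))               # 2
    # The bound parameter is compared as a literal password and matches nothing.
    print(login_param(db, "' OR '1'='1"))                     # []
```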

